.. its fairly easy to stop the form spam.

[singersower]

So I read this in the other post and I'm wondering how is this?

I have a site that I have implemented CAPTCHA with all the forms and the poor company keeps getting all kinds of nasty emails.

Can anyone point me in the right direction for what I should be looking for?

This site is on a Windows server and as far as I can tell, does not have an IP deny for their email. Do they need to change hosts and get one that has an IP deny capability or is there another way to stop the madness?

thank you so much for taking time to help

[crmalibu]

My first thought is that the captcha implementation is flawed. Consider doing some analytics on the forms, and the code logic. Make sure these emails really are coming from the forms.

You may also want to look at
http://spamassassin.apache.org/

[wwb_99]

Well, the spam could be coming from alot of places, not necessarily their form. Upgrading to a decent mail service with some spam filters should help, as should a good anaysis of the site's mail forms for any flaws.

[colinmcc]

Various strategies to stop forum or, indeed, any automatic 'bot' form posting that can be implemented I know off include:

If a submission includes html rather than allowable characters , then simply don't display/store/email it.

When a form is submitted amongst other info in the header is the ip from which it was posted. So you should be able to ban posts from that IP. (Problematic however if it is a big service provider like AOL. Also ip allocation can be dynamic, the ip you get from your provider may be given to someone else next time you log out and back in. More usual with dial up services though)

Use of a Capcha see http://en.wikipedia.org/wiki/Capcha (software can now break most of these)

Use of Maths Capcha (ask the user to do a simple sum) (Again can be broken by simple software, harder if the numbers are turned into pictures before being displayed)

Show a random picture, eg cat, cow etc and ask the user what is in the picture. (Fiddly but works well) etc

Add a hidden field to the form that the client browser doesn't display. The robot will not know that it shouldn't be filled in and will do so. If the Server receives a form with that field filled in, it wasn't submitted by a human (good method, but some speech readers for blind folk may read it out, so not totally foolproof in stopping humans from filling it in)

And, finally the one I like, send a time-stamp out as part of the form from the server, put it in a hidden field. When the form is returned (submitted) check the server time-stamp again and compare with the timestamp in the hidden field. Let's say we use 20 secs as our threshold. If the form is returned within 20 secs it is likely that a computer filled it in and returned it, if it took more than 20 secs then probably a human read it before filling it in..

A combination of the three, a picture based maths capcha, hidden form field and minimum time mean that as far as I can tell none of the forms I create get any automated postings.

Anyone have any more ideas? I'd love to hear about them.

[jeffct]

Are you sure they are not sending spam directly to the email addresses? Having a Captcha on an email form won't stop them from emailing directly if they know the address.

It may sound stupid, but also check that the Captcha is actually verified. If there is a way to submit the form even when the Captcha is incorrect, it obviously won't prevent anything.

[UglyDogDesigns]

I also had this problem and if it is a bot that scanned your pages to pull email addresses like it did mine then what worked for me was to break up your email address into pieces like the following...The bots cant seem to read the scripts...

Code:

<&#37;
ToAdP1 = "user"
ToAdP2 = "domain"
ToAdP3 = "com"
ToAddress = ToAdP1 & "@" & ToAdP2 & "." & ToAdP3
%>

Then just add the ToAddress variable to where you address the To object for sending the email message...

...
objMessage.To = ToAddress
...

[r937]

here's my approach --

if the contents of the form contain the substring 'http://' anywhere, it's spam, so they get a 403

would a spammer be a spammer if no url is included in the message?